<div dir="ltr">Thanks Jeff,<div><br></div><div>The challenge is that, we are not directly calling RAND_poll(). We just call <b>DH_generate_key</b> for DH key. </div><div>From the following call stacks, you can see the RAND_poll() is triggered by ssleay_rand_bytes.<br></div><div><br></div><div><div style="font-size:12.8px"> <span style="white-space:pre-wrap"> </span>libeay32d.dll!<b>RAND_poll</b>() Line 572<span style="white-space:pre-wrap"> </span>C</div><div style="font-size:12.8px"> <span style="white-space:pre-wrap"> </span>libeay32d.dll!ssleay_rand_<wbr>bytes(unsigned char * buf=0x03318fe0, int num=128, int pseudo=0) Line 395<span style="white-space:pre-wrap"> </span>C</div><div style="font-size:12.8px"> <span style="white-space:pre-wrap"> </span>libeay32d.dll!ssleay_rand_<wbr>nopseudo_bytes(unsigned char * buf=0x03318fe0, int num=128) Line 536 + 0xf bytes<span style="white-space:pre-wrap"> </span>C</div><div style="font-size:12.8px"> <span style="white-space:pre-wrap"> </span>libeay32d.dll!RAND_bytes(<wbr>unsigned char * buf=0x03318fe0, int num=128) Line 164 + 0x10 bytes<span style="white-space:pre-wrap"> </span>C</div><div style="font-size:12.8px"> <span style="white-space:pre-wrap"> </span>libeay32d.dll!bnrand(int pseudorand=0, bignum_st * rnd=0x03318518, int bits=1023, int top=0, int bottom=0) Line 152 + 0xd bytes<span style="white-space:pre-wrap"> </span>C</div><div style="font-size:12.8px">><span style="white-space:pre-wrap"> </span>libeay32d.dll!BN_rand(bignum_<wbr>st * rnd=0x03318518, int bits=1023, int top=0, int bottom=0) Line 213 + 0x17 bytes<span style="white-space:pre-wrap"> </span>C</div><div style="font-size:12.8px"> <span style="white-space:pre-wrap"> </span>libeay32d.dll!generate_key(dh_<wbr>st * dh=0x03316a88) Line 170 + 0x11 bytes<span style="white-space:pre-wrap"> </span>C</div><div style="font-size:12.8px"> <span style="white-space:pre-wrap"> </span>libeay32d.dll!<b><font color="#cc0000">DH_generate_key</font></b>(<wbr>dh_st * dh=0x03316a88) Line 84 + 0xf bytes<span style="white-space:pre-wrap"> </span>C</div></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Jason</div><div style="font-size:12.8px"><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 5, 2017 at 7:52 PM, Jeffrey Walton <span dir="ltr"><<a href="mailto:noloader@gmail.com" target="_blank">noloader@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">>> You should avoid calls to RAND_poll altogether on Windows. Do so by<br>
>> explicitly seeding the random number generator yourself.<br>
><br>
> As a starting point, try something like this:<br>
><br>
> -----<br>
> static ENGINE *rdrand;<br>
><br>
> void init_prng(void) {<br>
> /* Try to seed the PRNG with the Intel RDRAND on-chip PRNG */<br>
> OPENSSL_cpuid_setup();<br>
> ENGINE_load_rdrand();<br>
> rdrand = ENGINE_by_id("rdrand");<br>
> if (rdrand) {<br>
> int success = 0;<br>
> if (ENGINE_init(rdrand)) {<br>
> success = ENGINE_set_default(rdrand, ENGINE_METHOD_RAND);<br>
> }<br>
><br>
> /***<br>
> Per OpenSSL wiki, call ENGINE_free here regardless of whether we're<br>
> successfully using rdrand. The "functional reference" to rdrand will<br>
> be released when we call ENGINE_finish.<br>
> ***/<br>
> ENGINE_free(rdrand);<br>
> if (! success) ENGINE_finish(rdrand), rdrand = NULL;<br>
> }<br>
><br>
> if (!rdrand && !RAND_status()){<br>
> RAND_screen(); /* this isn't really emough entropy, but it's a start */<br>
> if (!RAND_status()) {<br>
> RAND_poll(); /* try to gather additional entropy */<br>
> }<br>
> }<br>
> }<br>
><br>
> void terminate_engines(void) {<br>
> if (rdrand) ENGINE_finish(rdrand), rdrand = NULL;<br>
> /* similarly for any other engines you use */<br>
> ENGINE_cleanup();<br>
> }<br>
> -----<br>
><br>
> Call init_prng after your OpenSSL initialization code (e.g. after calling OpenSSL_add_all_algorithms), and terminate_engines when you're done using OpenSSL (e.g. just before process exit).<br>
><br>
> Note that this code uses RAND_screen if RDRAND isn't available. RAND_screen is really not a very good idea; it may be OK on workstations, but rarely provides much entropy on servers because they typically aren't doing much screen output. And if you still need entropy after the RAND_screen call, you'll end up in RAND_poll anyway. The alternative is to write your own code that harvests entropy from some source (or sources).<br>
><br>
> Other people may have better suggestions.<br>
<br>
Headless servers without hw entropy sources are tough. In this case I<br>
use hedging. I've got some patches somewhere for 1.0.1, but they won't<br>
apply to 0.9.8.<br>
<br>
Also see:<br>
<br>
* When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities<br>
and Hedging Deployed Cryptography,<br>
<a href="http://pages.cs.wisc.edu/~rist/papers/sslhedge.pdf" rel="noreferrer" target="_blank">http://pages.cs.wisc.edu/~<wbr>rist/papers/sslhedge.pdf</a><br>
* When Virtual is Harder than Real: Security Challenges in Virtual<br>
Machine Based Computing Environments,<br>
<a href="http://www.usenix.org/legacy/event/hotos05/final_papers/full_papers/garfinkel/garfinkel.pdf" rel="noreferrer" target="_blank">http://www.usenix.org/legacy/<wbr>event/hotos05/final_papers/<wbr>full_papers/garfinkel/<wbr>garfinkel.pdf</a><br>
<br>
Jeff<br>
</blockquote></div><br></div>